1.6.4 Procedure to enable HTTPS connections (Linux 8)
To enable HTTPS connections on the Web server, edit the user_httpsd.conf file and then store the private key file and the SSL server certificate file in the folder that the file specifies.
Before you begin
- Log in to the JP1/AO server as a user with root permissions.
- Stop the JP1/AO service.
  - For non-cluster systems: execute the hcmds64srv command with the stop option specified.
  - For cluster systems: use the cluster software to bring the service offline.
To enable HTTPS connections:
1. Open the user_httpsd.conf file from the following location:
   Common-Component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
2. Within the user_httpsd.conf file, do the following:
   a. Uncomment the lines from #Listen 22016 through #HWSLogSSLVerbose On by removing the hash sign (#) at the beginning of each line, with the exception of #SSLCACertificateFile and #Header set Strict-Transport-Security max-age=31536000, which must remain commented out.
      For an IPv6 environment, also remove the hash sign (#) at the beginning of the line #Listen [::]:22016.
   b. Edit the following lines as required:
      - ServerName in the first line
      - ServerName in the <VirtualHost> tag
      - SSLCertificateKeyFile
      - SSLCertificateFile
      - #SSLCACertificateFile
      When using a certificate issued by a certificate authority, delete the hash sign (#) from the line #SSLCACertificateFile and specify the certificate of the certificate authority by using an absolute path.
   Important
   To block non-SSL communication from other servers to the host, comment out the lines Listen 22015 and Listen [::]:22015 by adding a hash sign (#) to the beginning of each line. After you comment out these lines, remove the hash sign (#) from the line #Listen 127.0.0.1:22015, so that plain HTTP on port 22015 is reachable only from the loopback address.
   When editing directives, be aware of the following:
   - Do not specify the same directive twice.
   - Do not enter a line break in the middle of a directive.
   - When specifying paths in the directives listed above, do not specify symbolic links or junction points.
   - When specifying certificate and private key files in the directives listed above, specify PEM-format files.
   - Do not edit the httpsd.conf and hsso_httpsd.conf files.
   The following is an example of an edited user_httpsd.conf file. In this example a certificate issued by a certificate authority is used (so SSLCACertificateFile is uncommented) and plain HTTP on port 22015 is left enabled. The numbers represent the default ports.
ServerName host-name
Listen [::]:22015
Listen 22015
#Listen 127.0.0.1:22015
SSLEngine Off
#Listen [::]:22016
Listen 22016
<VirtualHost *:22016>
  ServerName host-name
  SSLEngine On
  SSLProtocol +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
# SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
  SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
  SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsd.pem"
# SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
# SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsd.pem"
  SSLCACertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/cacert/anycert.pem"
# Header set Strict-Transport-Security max-age=31536000
</VirtualHost>
HWSLogSSLVerbose On
3. Start the JP1/AO service.
4. Update the JP1/AO URL by using the hcmds64chgurl command to do the following:
   - Change the protocol from http: to https:
   - Change the port number to the port used for secure communication (22016 by default).